Stevie Graham, a London-based developer, recently submitted a bug report to Facebook outlining what he saw as a security vulnerability in Instagram that would allow someone to hijack a user’s session based on data captured over a public Wi-Fi network. When he was told that he wouldn’t get a bug bounty from Facebook, which owns Instagram, he tweeted about it—and set about building a proof-of-concept tool to exploit it. “Denied bug bounty. Next step is to write automated tool enabling mass hijacking of accounts,” he wrote. “Pretty serious vuln, FB. please fix.”

As we reported in our recent coverage of mobile application privacy holes, Instagram uses HTTP for much of its communications, passing the user’s account name and an identifying account number in the clear. And as Graham demonstrated, there are other pieces of data sent between Instagram’s iOS client and the service that are passed in the clear. Even though the user’s credentials are submitted using a secure connection, information passed back by Instagram’s application interface to the phone client provides a cookie that can be used on the same network without reauthentication to connect via the Web to Instagram as that user and gain access to private messages and other data. “Once you have a cookie, any endpoint can be authenticated with the cookie, HTTPS or HTTP,” he wrote. Graham said that he has known about the flaw for years.

This is the problem with bug bounty programs. If you don't actually award the bounty to somebody who thinks they earned it, they will write a tool to exploit said bug.

And issue #2 with bounty programs: Facebook will now hand this individual over to the authorities for authoring the exploit. He will now not only not get the bounty, but will also be labeled a criminal.

This is the problem with bug bounty programs. If you don't actually award the bounty to somebody who thinks they earned it, they will write a tool to exploit said bug.

I don't see that as being a problem. He did the right thing and reported it. If Facebook chose to drop the ball, well that's their fault for not living up to their promises. At least they know, and had some time to fix it (whether they used that time or squandered it). Without the bug bounty program, they wouldn't have had the opportunity at all.

This is the problem with bug bounty programs. If you don't actually award the bounty to somebody who thinks they earned it, they will write a tool to exploit said bug.

And issue #2 with bounty programs: Facebook will now hand this individual over to the authorities for authoring the exploit. He will now not only not get the bounty, but will also be labeled a criminal.

Ain't the system great?

If it's not a bug then it's an intended use of their software. Ergo, no prosecution.

This is the problem with bug bounty programs. If you don't actually award the bounty to somebody who thinks they earned it, they will write a tool to exploit said bug.

What are the criteria for being rewarded for a bug? I have never heard of FB actually rewarding anyone for finding a flaw, just lots of stories like this where they have refused.

As for the flaw, I am betting that this same exploit could be used against a litany of apps and services. Public WiFi is so easily exploitable, smartphones are so leaky, and there are so many poorly written apps that tricks like this are an inevitable reality.

This is the problem with bug bounty programs. If you don't actually award the bounty to somebody who thinks they earned it, they will write a tool to exploit said bug.

What are the criteria for being rewarded for a bug? I have never heard of FB actually rewarding anyone for finding a flaw, just lots of stories like this where they have refused.

As for the flaw, I am betting that this same exploit could be used against a litany of apps and services. Public WiFi is so easily exploitable, smartphones are so leaky, and there are so many poorly written apps that tricks like this are an inevitable reality.

Yep. And it's been proven, time and time again, that the only way to get a fix is to exploit it. Firesheep was what pushed FB and others to use https, long after it was known to be a problem.

OK, so the guy talks about "open" or "WEP" Wi-Fi networks where this works. How about WPA2? More info would be nice.

I imagine it would work on any network you're able to connect to.

He likely specifies open and WEP because they're practically the same to anyone with the skills to do this.

It's more difficult with WPA2. Traffic for each client is encrypted with separate keys, not broadcast to all clients and encrypted with the same key.

There are apparently some ways to force a reconnect and observe the negotiation and grab client-specific keys if you have the shared key for a WPA2 network, but I don't have any direct experience with that.

This is the problem with bug bounty programs. If you don't actually award the bounty to somebody who thinks they earned it, they will write a tool to exploit said bug.

Even without bounty programs, there have been reports of white hats going too far when organizations don't patch reported holes.

I much prefer a white hat who spots a bug the company refuses to fix publicly announcing it and writing a tool freely available to everyone to exploit it rather than leaving the bug exploitation as the sole province of hackers and the government. If companies won't do the right thing they need to be made to.

That's VERY different from what he made it sound like, i.e. as if FB didn't consider it a bug and refuses to fix it.

It looks more like duplicate issues aren't eligible for bounties (which kinda makes sense, otherwise huge groups of people could just submit the same issue to make money), and he is angry and out for public revenge. I might be misjudging his intentions, but he definitely seems to think he is free to do anything and be "the good guy" based on just the fact his ticket was closed.

At least they know, and had some time to fix it (whether they used that time or squandered it). Without the bug bounty program, they wouldn't have had the opportunity at all.

True, but now Facebook has shown that they can't be trusted. If this guy is able to create a working exploit, that proves that it's a bug Facebook should have paid out for. Now, people are going to be a lot less interested in participating in the program, since they don't know if Facebook is really going to pay up.

Coincidentally, I was discussing this exact kind of attack with a coworker less than an hour ago. The solution is so trivial too: HTTPS. All the time. Can't steal encrypted cookies as easily as ones in plaintext.

I believe your question may require some rephrasing: "What DOESN'T one do with a hijacked instagram account?" amirite? lol.

But seriously, it's a tiny hole that most competent home network users would otherwise never really have to worry about because nobody who knows what they're doing uses WEP anymore.

No one cares about what you do in your house - this is about public wi-fi.

You obviously haven't met my mother in law. And that friend of hers, the one who told my wife she saw me at a restaurant with a tramp and was therefore cheating. Sure, my sister shows her knees, but [obscenity]. Disclaimer: I'm not married, and my sister only dresses like a tramp for Halloween.

Coincidentally, I was discussing this exact kind of attack with a coworker less than an hour ago. The solution is so trivial too: HTTPS. All the time. Can't steal encrypted cookies as easily as ones in plaintext.

As Ars has documented, going to a pure HTTPS solution can be troublesome. Can you just encrypt the cookie exchange?

Coincidentally, I was discussing this exact kind of attack with a coworker less than an hour ago. The solution is so trivial too: HTTPS. All the time. Can't steal encrypted cookies as easily as ones in plaintext.

As Ars has documented, going to a pure HTTPS solution can be troublesome. Can you just encrypt the cookie exchange?

Cookies are just HTTP headers, so not really. Encrypting just the cookie doesn't help, because then the attacker could just grab the encrypted cookie and send that instead (and it's already encrypted, he doesn't need to know the key). You have to keep in mind, most session cookies don't store any real data, just a random value that serves as the key to look up the user's session in some kind of key-value store.
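Added here to illustrate the two replies above (HTTPS all the time, and why encrypting just the cookie does not help); this is example code, not code from the article or from Instagram. The in-memory session store, the `session` cookie name and the `over_tls` flag are assumptions standing in for a real server and its TLS layer.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed server-side session store (assumption): the cookie carries only an
# opaque random key, as the comment above describes; the user's data lives here.
SESSIONS = {}

def issue_session(user):
    """Log a user in: mint a random session key and return it as the cookie value."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": user}
    return token

def _session_from_cookie_header(cookie_header):
    """Pull the 'session' value out of a Cookie request header (None if absent)."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    return cookie["session"].value if "session" in cookie else None

def naive_authenticate(cookie_header, over_tls):
    """Weak design: whoever presents a known session value is that user, whether
    the request came over HTTPS or plain HTTP (over_tls is ignored). Encrypting
    the value changes nothing: the server only compares it, so a copy works."""
    return SESSIONS.get(_session_from_cookie_header(cookie_header))

def hardened_authenticate(cookie_header, over_tls):
    """The thread's fix, HTTPS all the time: a session value is honoured only when
    the request itself arrived over TLS, so a value that leaked onto an open
    network is not accepted by any endpoint when replayed."""
    if not over_tls:
        return None
    return SESSIONS.get(_session_from_cookie_header(cookie_header))

def set_cookie_header(token, hardened):
    """Build the Set-Cookie value. Secure stops the browser from ever sending the
    cookie over http://; HttpOnly keeps page scripts from reading it."""
    attrs = ["session=" + token]
    if hardened:
        attrs += ["Secure", "HttpOnly"]
    return "; ".join(attrs)

def audit_set_cookie(header_value):
    """Check a Set-Cookie value for the attributes that keep a session cookie off
    plaintext HTTP; returns the names of the missing ones (empty list = fine)."""
    cookie = SimpleCookie()
    cookie.load(header_value)
    return [name for name, key in (("Secure", "secure"), ("HttpOnly", "httponly"))
            if any(not morsel[key] for morsel in cookie.values())]
```

The audit function is the check to run against a service's own Set-Cookie headers: any session cookie reported as missing Secure is one the browser will happily send over plain HTTP on the next open network.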

But seriously, it's a tiny hole that most competent home network users would otherwise never really have to worry about because nobody who knows what they're doing uses WEP anymore.

Sadly that's not 100% true. My mother in law has a not-so-recent laptop that isn't capable of using WPAx under Windows XP. I tried different network cards (Intel, Realtek), but still the thing would refuse to connect to anything but WEP (or open, of course). Weirdest and most frustrating thing ever. Since XP is 'out' nowadays I've switched her to Lubuntu and although I am able to get the machine to connect on WPA now via [wicd], it's simply not usable as [wpa_supplicant] eats up so many CPU cycles it literally brings the rest of the machine to its knees whenever there is network traffic. Evidently this makes things like browsing the web or VOIP totally impossible.

So, yes, I more or less know what I'm doing but I still can't use anything but WEP. I'm considering adding MAC filtering, but then again, that's even less work to circumvent than getting around WEP.